1 Key Risks
The most critical security risks an operator inherits when deploying this agent in its documented default configuration. Glean presents a moderate attack surface with a contained blast radius in its default configuration: sandbox isolation constrains execution impact, but input and output guardrails are absent by default, so content-level filtering depends on the optional Protect+ add-on.
2 AIRQ Scores
The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Glean presents a moderate-risk profile where sandbox-constrained execution impact and managed configuration partially offset a broad connector-driven input surface and the absent default content-level filtering.
Infrastructure defenses contain blast radius, but the content-level gap at the base tier keeps the attack surface elevated. Residual risk concentrates in credential access breadth and unfiltered content pipelines.
Evidence base spans an independent enterprise AI security analysis naming the agent, peer-reviewed academic research on retrieval-augmented generation exploitation, vendor-published security architecture documentation with sandbox and isolation specifications, compliance certification registries, and a public bug bounty program through a managed disclosure platform. [1] Defense posture is grounded in vendor-documented defaults with the Protect+ add-on boundary as the primary analytical distinction between base and hardened configurations.
| Metric | Score | Comments |
|---|---|---|
| AIRQ Score | 3.89 | Evidence base spans an independent agent-specific security analysis, peer-reviewed academic research on enterprise search exploitation patterns, vendor-published security architecture documentation, and compliance certification registries. Defense posture is grounded in vendor-documented defaults corroborated by the distinction between base tier and Protect+ add-on capabilities. |
| Blast Radius | 3.63 / 10 | Ephemeral sandbox sessions with blocked outbound traffic constrain code execution, file system, and network blast factors to contained levels. OAuth-scoped credential access spanning the enterprise application catalog is the primary blast vector, with autonomous background actions as a secondary concern. |
| Attack Surface | 4.88 / 10 | A wide connector-driven input surface and unvalidated external data ingestion dominate, with model-agnostic LLM delegation and autonomous scheduling as contributing factors. The sandbox boundary and managed admin console partially constrain tool execution and configuration. |
| Defense Controls | 8 / 15 | Sandbox isolation, Code Writer gVisor containers, action confirmation defaults, and structured audit logging form a partial defense posture. Content-level input filtering and output scanning are absent at the base tier; Protect+ closes those gaps but ships as an opt-in upgrade. |
3 Attack Surface
Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. The dominant exposures for Glean are its unfiltered multi-channel input ingestion, model-agnostic LLM delegation to interchangeable external providers, and autonomous orchestration through cron-scheduled and content-driven triggers that operate without per-invocation operator review.
The dominant architectural pattern is broad multi-channel exposure across the input and autonomy surfaces (User Input, External Data, Reasoning, Planning, Orchestration) constrained by sandbox isolation and managed boundaries at the execution layer (Tool Execution, Inter-Agent, Output Processing, Memory). Configuration scores lowest due to the managed Admin Console model.
The ten attack surfaces quantify where adversarial input can reach the agent reasoning loop and how broadly it can steer behavior. The connector-driven architecture creates a wide input surface across the enterprise data estate, while the sandbox model constrains the execution boundary. Scoring reflects the documented default configuration where Protect+ guardrails are not enabled and the base tier provides permission enforcement but not content-level filtering.
| Surface | Score | Comments |
|---|---|---|
| User Input | 3 / 4 | Accepts prompts via web UI, REST API, Python SDK, and MCP servers with no content-level input validation at the base tier. The Protect+ add-on provides ML-based prompt injection detection reporting vendor-benchmarked accuracy, but it is not enabled by default. Content triggers and scheduled triggers accept input without per-invocation user review. Industry frameworks identify prompt injection as the top risk for LLM-integrated enterprise search systems in this class. [4][5][7] |
| External Data | 3 / 4 | Pulls content from a broad connector ecosystem spanning email, messaging, code repositories, and document stores. Permission enforcement gates retrieval at the source level, but no content validation scans ingested documents for embedded injection payloads before they enter the retrieval pipeline. Independent analysis documented how the search layer can synthesize sensitive outputs across individually permissible sources, and peer-reviewed research demonstrated indirect prompt injection against retrieval-augmented generation systems in the same class. [2][3][13] |
| Memory | 2 / 4 | Enterprise Memory persists tool-use heuristics and skill discovery patterns across sessions. The Knowledge Graph and Unified Index maintain persistent enterprise-wide context. Per-run step memory is session-scoped and configurable. Memory writes are automated through platform heuristics rather than arbitrary user content injection. [17][18] |
| Reasoning | 3 / 4 | Model-agnostic architecture delegates reasoning to interchangeable external LLMs through the Model Hub, where customers select from multiple providers or bring their own keys. Debug and Trace Views offer limited reasoning transparency, but the reasoning boundary inherits the security properties of whichever third-party model the operator selects. [7][14] |
| Planning | 3 / 4 | Auto Mode agents plan and execute autonomously with task decomposition across sub-agents. Scheduled triggers run agent workflows on cron schedules without per-run user initiation. Write-action approval is admin-configurable, creating a planning surface that operates outside operator oversight when background execution is active. [10][15] |
| Tool Execution | 2 / 4 | Agent Sandbox provides shell and code interpreter in tenant-scoped per-session isolation with blocked outbound traffic and permission-aware retrieval. Programmatic Tool Calling enables chained invocations with a per-sandbox budget. Code Writer adds gVisor container isolation, non-root execution, and a domain-scoped proxy. [8][9] |
| Orchestration | 3 / 4 | Agent Builder supports sub-agent delegation, step-based workflow composition, and background execution. Scheduled and content triggers enable autonomous orchestration without per-invocation operator review. Auto Mode and Workflow Mode offer distinct orchestration patterns with varying levels of autonomy. [16][18] |
| Inter-Agent | 2 / 4 | MCP servers enable interoperability with external agent frameworks. The Agent Toolkit SDK supports integration with multiple third-party orchestration libraries. Sub-agents within Glean operate with restricted toolsets defined by the parent agent configuration. External agent communication is mediated through vendor-managed MCP endpoints. [8][18] |
| Output Processing | 2 / 4 | Agents emit messages, records, and integration writes to connected enterprise applications through the Actions framework. Protect+ adds malicious code and toxic content scanning at the output layer, but the base tier ships without DLP or URL sanitization. Sensitive content detection is available as a configurable Protect+ policy. [5][6] |
| Configuration | 1 / 4 | Agent configuration is managed through the Admin Console with role-based access controls. No auto-loaded configuration files from project directories or user-editable config paths. Custom Actions require admin approval before deployment. The managed marketplace model with admin review gates constrains the configuration attack surface. [11] |
The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Glean ingests externally authored content from more than a hundred enterprise connectors, reads private enterprise data through OAuth-scoped access across the connected application ecosystem, and can transmit content externally through Actions that send messages, create emails, and write to connected applications.
Glean exhibits all three of these conditions in its documented default configuration:
- Untrusted input — Glean ingests content authored by parties other than the operator through enterprise app connectors that index email bodies, shared documents, chat messages, and code repository contents from external collaborators, as well as web search results and MCP interoperability channels. [2][7]
- Sensitive data — Glean reads private and privileged enterprise data on behalf of the operator through OAuth-scoped connectors that index email content, calendar entries, documents, code repositories, CRM records, and messaging histories across the connected application ecosystem. [7][8]
- External egress — Glean has default channels to transmit data beyond the operator trust boundary through Actions that create emails, send Slack DMs, post to ticketing systems, and write to connected applications, while the sandbox blocks outbound network only for code execution environments. [8][10]
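One way to make the trifecta actionable at the orchestration layer, as an added illustration that is not Glean's own policy engine: the session is tainted as it reads untrusted or sensitive sources, and an egress Action is then confirmed, deferred to admin policy, or blocked depending on whether a user is present. Tool names and the capability sets are assumptions.

```python
"""Session-level Lethal Trifecta gate (added example, not Glean code)."""
from dataclasses import dataclass, field
from enum import Enum


class TriggerKind(Enum):
    INTERACTIVE = "interactive"   # a user is present to confirm actions
    SCHEDULED = "scheduled"       # cron or content trigger, nobody in the loop


# Hypothetical capability tags; a deployment would derive these from its
# connector catalog and Actions allowlist rather than hard-code them.
UNTRUSTED_SOURCES = {"read_email", "read_shared_doc", "web_search", "mcp_fetch"}
SENSITIVE_SOURCES = {"read_email", "read_crm_record", "read_code_repo"}
EGRESS_ACTIONS = {"send_email", "send_slack_dm", "create_ticket", "write_app_record"}


@dataclass
class Session:
    trigger: TriggerKind
    seen_untrusted: bool = False
    seen_sensitive: bool = False
    trail: list = field(default_factory=list)

    def record_read(self, tool: str) -> None:
        """Taint the session according to what a retrieval tool touched.
        Email is both untrusted (externally authored) and sensitive."""
        if tool in UNTRUSTED_SOURCES:
            self.seen_untrusted = True
        if tool in SENSITIVE_SOURCES:
            self.seen_sensitive = True
        self.trail.append(tool)

    def trifecta_complete(self) -> bool:
        return self.seen_untrusted and self.seen_sensitive

    def decide(self, tool: str) -> str:
        """Return 'allow', 'confirm', 'admin_policy' or 'block' for a tool call."""
        if tool not in EGRESS_ACTIONS:
            return "allow"          # reads are gated by connector permissions, not here
        if self.trigger is TriggerKind.INTERACTIVE:
            # Platform default: write actions wait for user confirmation. When the
            # trifecta is complete, the prompt should show the taint trail so the
            # user can judge whether the action is really theirs.
            return "confirm"
        if self.trifecta_complete():
            # Background run with all three conditions met and no human to ask:
            # fail closed rather than defer to an auto-approve policy.
            return "block"
        return "admin_policy"       # defer to the admin-set approval policy


def walk(trigger: TriggerKind, steps: list) -> list:
    """Replay a session step by step; returns the decision made for each tool."""
    session = Session(trigger)
    decisions = []
    for tool in steps:
        decision = session.decide(tool)
        if decision == "allow":
            session.record_read(tool)
        decisions.append(decision)
    return decisions
```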
4 Blast Radius
The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. Per-session sandbox isolation and blocked outbound traffic keep execution-level damage contained, while OAuth-scoped credential access across the connected application ecosystem remains the primary blast vector on the documented default configuration.
Ephemeral sandbox sessions and blocked outbound traffic keep Code Execution, File System, and Network Access at the lowest band. Credential Access occupies the highest band due to broad OAuth-scoped connector delegation. Autonomous Action falls at a moderate level because of confirmation gates with admin-configurable overrides, and Deployment Access remains lowest with no documented infrastructure modification capability.
The six blast factors measure how far a compromised agent session can reach into operator-controlled resources. The sandbox architecture effectively constrains execution-level factors, but the OAuth-scoped connector model grants broad credential access that a compromised session could leverage through the existing Actions framework.
| Factor | Score | Comments |
|---|---|---|
| Code execution | 1 / 4 | Agent Sandbox provides a sandboxed shell and Python interpreter in per-tenant per-session isolation. Code Writer operates in gVisor-protected Kubernetes pods running as non-root. Both environments are ephemeral with zero persistent state across sessions. [8][9] |
| File system access | 1 / 4 | Sandbox file system is scoped to the ephemeral session workspace with zero-day retention. Code Writer workspace is isolated per execution with no access to host or tenant-level persistent storage. No documented path traversal or escape from the sandbox file system boundary. [9] |
| Network access | 1 / 4 | The sandbox blocks outbound network by default. Code Writer routes traffic through a domain-allowlisted proxy restricting destinations to pre-approved hosts. Orchestrator-level tool calls pass through the platform-managed infrastructure, not directly from execution environments. [8][9] |
| Credential access | 3 / 4 | The connector model delegates OAuth-scoped read and write access to API keys, tokens, and application credentials spanning the connected ecosystem. The broad catalog exposes email, messaging, CRM, code repositories, and document stores under the operator-delegated scopes. [7][13] |
| Autonomous action | 2 / 4 | Write actions require user confirmation by default. Scheduled triggers can run background actions under admin-set approval policies, with admin and moderator gates governing which operations proceed unattended. No single-step confirmation bypass is documented. [10][11] |
| Deployment access | 1 / 4 | No documented capability to deploy code, modify infrastructure, or publish artifacts to production environments. Agents write to connected applications through managed Actions but vendor documentation does not describe any deployment or infrastructure modification capability. [10][11] |
5 Defense Controls
Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. The Agent Sandbox and Code Writer isolation provide the strongest default defense, while content-level input and output guardrails remain gated behind the optional Protect+ add-on and do not ship in the base configuration.
Execution Isolation, Action Controls, and Monitoring score at the mid-tier, providing documented infrastructure-level defense in the default deployment. Input Guardrails and Output Guardrails score lowest because content-level filtering requires the Protect+ add-on and does not ship as a default. For deployment decisions, this means the base tier protects the execution boundary but leaves the content pipeline unguarded.
The primary analytical distinction for Glean is the boundary between the base Protect tier, which provides infrastructure-level isolation and action confirmation, and the Protect+ add-on, which introduces content-level input filtering and output scanning. Opt-in mitigations are not counted toward the score; they reappear as hardening tips that an operator can layer on top of the default posture.
| Component | Score | Comments |
|---|---|---|
| Input Guardrails | 1 / 3 | The base tier enforces source-level permissions through the connector model but does not filter or scan prompt content. Protect+ introduces ML-based prompt injection detection with vendor-benchmarked accuracy, agent alignment models, and restricted topic policies, but ships as an opt-in upgrade. [5][7] |
| Execution Isolation | 2 / 3 | Single-tenant infrastructure provides tenant-level isolation. The Agent Sandbox runs per-session environments with all outbound traffic blocked. Code Writer layers gVisor container isolation, non-root execution, a domain-allowlisted proxy, and ephemeral workspaces with zero-day retention on top. [8][9] |
| Action Controls | 2 / 3 | The platform defaults to user confirmation for write actions. Scheduled triggers operate under admin-set approval policies with admin and moderator gate governance. No single-step confirmation bypass appears in the vendor security documentation. [10][11] |
| Output Guardrails | 1 / 3 | The base tier ships without output-level controls. Protect+ adds scanning for malicious code, toxic content, and sensitive data, but none of these are active by default. No DLP or redaction mechanism ships in the base configuration for agent-generated content. [5][6] |
| Monitoring | 2 / 3 | Structured audit logs ship across all tiers. CloudWatch and BigQuery integration supports SIEM forwarding for customer-hosted environments. The Protect+ tier surfaces a Findings dashboard for violation investigation. Debug and Trace Views expose per-session reasoning steps for operator review. [12][17] |
6 Hardening Tips
Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. The highest-impact hardening actions for Glean center on enabling Protect+ to close the input and output guardrail gap at the base tier, restricting scheduled trigger approval policies to prevent autonomous action scope creep, and configuring SIEM integration for centralized agent behavior monitoring.
Input Guardrails
Input guardrails intercept adversarial content before it reaches the reasoning loop.
- Policy: Enable the Protect+ add-on to activate ML-based prompt injection detection and agent alignment models across all agent interactions — counters the absent default input filtering at the base tier.
- Configuration: Configure restricted topic policies in Protect+ to block sensitive query categories before they reach the LLM reasoning loop — counters the unrestricted prompt acceptance surface.
- Engineering: Implement content validation for high-risk connectors that ingest externally authored documents to detect embedded injection payloads before retrieval — counters the unvalidated external data ingestion pipeline.
Execution Isolation
Execution isolation contains what a compromised agent can do on the host.
- Policy: Maintain the Agent Sandbox default of network egress disabled and audit any admin overrides through the governance dashboard — counters potential expansion of the sandbox network boundary.
- Configuration: Restrict Programmatic Tool Calling budgets to the minimum required tool calls per sandbox session — counters the broad tool execution surface within the isolated environment.
- Engineering: Deploy customer-hosted environments with VPC isolation and private endpoints to add a network-level boundary around the deployment — counters the shared-infrastructure risk in vendor-hosted deployments.
Action Controls
Action controls govern which tools and actions the agent can invoke autonomously.
- Policy: Require explicit admin approval for all scheduled trigger write actions rather than using auto-approve policies — counters the autonomous action surface through background agent execution.
- Configuration: Enable moderator gate review for all publishing and external communication actions — counters the outbound data path through connected enterprise applications.
- Engineering: Audit the Actions allowlist quarterly to remove unused write-capable integrations — counters credential access scope creep through accumulated OAuth-scoped connectors.
Output Guardrails
Output guardrails inspect what the agent sends to other systems and users.
- Policy: Enable Protect+ output scanning policies for malicious code detection and toxic content filtering across all agent output channels — counters the absent default output controls at the base tier.
- Configuration: Configure sensitive content detection policies to prevent agent-generated responses from surfacing restricted data categories — counters the data aggregation risk identified in the Knostic oversharing analysis [3].
- Engineering: Implement downstream validation for agent-generated content that triggers write actions in connected enterprise applications — counters the unfiltered output path to external systems.
Monitoring
Monitoring captures what the agent did and surfaces anomalies for review.
- Policy: Configure SIEM forwarding through CloudWatch or BigQuery integration to centralize agent audit logs with the security monitoring infrastructure — counters the operator-managed monitoring gap at the base tier.
- Configuration: Enable the Protect+ Findings dashboard and configure alert thresholds for prompt injection attempts and policy violations — counters the passive audit log posture without active anomaly detection.
- Engineering: Implement automated response playbooks triggered by anomalous patterns such as bulk data retrieval spikes or unusual cross-connector access sequences in SIEM correlation — counters the manual triage dependency for agent security events.
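The two anomaly patterns named in the Monitoring tips, written as SIEM-side correlation rules over forwarded audit events. This is an added example, not Glean's audit schema or a shipped detection: the JSON-lines field names, thresholds and the sample events are all constructed assumptions.

```python
"""Correlation rules for agent audit logs (added example, assumed schema)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

BULK_THRESHOLD = 10          # retrievals by one actor inside the window
FANOUT_CONNECTORS = 3        # distinct connectors read before an egress action
WINDOW = timedelta(seconds=60)
EGRESS_ACTIONS = {"send_email", "send_slack_dm", "create_ticket"}


def _parse(line: str) -> dict:
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def correlate(lines):
    """Return (rule, actor, detail) findings in log order. Events for one
    actor must arrive in timestamp order, as a SIEM pipeline delivers them."""
    findings = []
    retrievals = defaultdict(deque)   # actor -> deque of (ts, connector)
    for event in map(_parse, lines):
        window = retrievals[event["actor"]]
        # Drop retrievals that have aged out of the sliding window.
        while window and event["ts"] - window[0][0] > WINDOW:
            window.popleft()
        if event["event"] == "retrieval":
            window.append((event["ts"], event["connector"]))
            if len(window) == BULK_THRESHOLD:   # fire once, when the threshold is crossed
                findings.append(("bulk_retrieval", event["actor"],
                                 f"{len(window)} reads in {WINDOW.seconds}s"))
        elif event["event"] == "action" and event["action"] in EGRESS_ACTIONS:
            connectors = {c for _, c in window}
            if len(connectors) >= FANOUT_CONNECTORS:
                findings.append(("cross_connector_egress", event["actor"],
                                 f"{event['action']} after reading {sorted(connectors)}"))
    return findings


def sample_log():
    """Constructed events: one benign actor, one that fans out and then egresses."""
    t0 = datetime(2025, 1, 1, 9, 0, 0)
    lines = []

    def emit(sec, actor, **fields):
        record = {"ts": (t0 + timedelta(seconds=sec)).isoformat(), "actor": actor, **fields}
        lines.append(json.dumps(record))

    # Benign: two reads from a single connector, then a confirmed ticket.
    emit(0, "user_a", event="retrieval", connector="jira")
    emit(5, "user_a", event="retrieval", connector="jira")
    emit(10, "user_a", event="action", action="create_ticket")
    # Suspicious: a scheduled agent reads 12 items across three connectors
    # in under 30 seconds and then sends a DM.
    connectors = ["gmail", "salesforce", "github"]
    for i in range(12):
        emit(2 * i, "agent_sched_7", event="retrieval", connector=connectors[i % 3])
    emit(30, "agent_sched_7", event="action", action="send_slack_dm")
    return lines
```

The benign actor produces no finding; the scheduled agent trips the bulk rule at its tenth read and the fan-out rule when the DM follows reads from all three connectors.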
7 References
The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7][13]) refer to the entries below, listed in citation order.
Selected Vulnerabilities
- Glean Technologies Bug Bounty Program: Public bug bounty program through Bugcrowd covering web and mobile targets. Searches of NVD, GHSA, and OSV returned zero agent-specific CVEs as of the assessment date.
Selected Research
- Glean data security and oversharing risks: Independent analysis of how Glean's LLM-powered search can synthesize sensitive outputs by combining individually permissible but contextually inappropriate content.
- Indirect prompt injection overcoming the retrieval barrier in RAG and agentic systems: Peer-reviewed USENIX Security paper demonstrating end-to-end indirect prompt injection against RAG and agentic systems with near-perfect retrieval rates.
- OWASP Top 10 for LLM Applications 2025: Industry framework identifying prompt injection and vector and embedding weaknesses as top risks for LLM-integrated enterprise search systems.
- AI security model benchmarks for prompt injection detection: Vendor-published benchmarks reporting detection accuracy of dedicated AI security models available as Protect+ add-on capabilities.
Vendor Documentation
- Glean Security page: The vendor's primary security landing page, describing the Protect platform and single-tenant deployment options.
- Glean Protect and Protect+ feature comparison: The vendor's feature comparison documenting which AI security guardrails ship in the base tier versus the Protect+ add-on.
- Agent Sandbox and Programmatic Tool Calling: Per-tenant, per-session sandbox isolation architecture with network egress disabled by default and permission-aware retrieval.
- Code Writer Security Overview: gVisor-sandboxed Kubernetes pods with non-root execution and a domain-allowlisted outbound proxy for code generation workloads.
- Security best practices for scheduled triggers agents: Admin and moderator gate governance controlling which write actions can proceed without user confirmation in background execution.
- Glean legal and compliance page: SOC 2 Type II, ISO 27001, and ISO 42001 certifications, HIPAA BAA availability, and GDPR DPA with Standard Contractual Clauses.
- AWS log monitoring for Glean environments: CloudWatch audit-log group integration and SIEM ingestion mechanisms for customer-hosted AWS deployments.
- Glean connector ecosystem overview: The vendor's documentation of the connector catalog, with architecture details for enterprise application data ingestion.
- Glean Model Hub configuration: The vendor's documentation of LLM provider selection and customer-managed key configuration through the Model Hub.
- Glean scheduled triggers documentation: The vendor's documentation of cron-scheduled agent execution with configurable approval policies for background workflows.
- Glean Agent Builder documentation: The vendor's documentation of the no-code workflow builder with sub-agent delegation and step-based orchestration.
Other Sources
- Glean context management and enterprise memory: Vendor engineering blog post describing how programmatic tool calling and sub-agents manage context across agent sessions.
- Glean AWARE framework and agentic security: Vendor post introducing the AWARE framework, alongside Databricks and Palo Alto Networks, and mapping Protect capabilities to each dimension.